Closed ntkme closed 4 months ago
Looks like yesterday's node 20.12.2 is breaking our test on windows: https://github.com/nodejs/node/commit/69ffc6d50d
@nex3 I added a commit to fix the node regression.
Regarding CVE-2024-27980:
sass-embedded >=1.59.2 is not affected because in production release we always launch the dart.exe directly since this commit: https://github.com/sass/embedded-host-node/commit/308862033e00f7a28a83c3114941efb053c395f6
sass-embedded <1.59.2 would be broken if a windows user upgrades to the latest node. There is no security risk for sass-embedded itself even if a windows user does not upgrade node, because we don't have any arguments when launching .bat, thus there is no risk of injection.
.bat wrapper in the test.
Can you pull the CVE fix into a separate PR?
@nex3 Created a separate PR for the CVE: https://github.com/sass/embedded-host-node/pull/286
https://github.com/sass/sass/pull/3835 https://github.com/sass/dart-sass/pull/2220
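
The launch rule from the CVE-2024-27980 comment above (start dart.exe directly; a .bat wrapper is only safe when it gets no arguments), written out as an added example that is not code from sass-embedded or Node. `planSpawn` and `isBatchFile` are hypothetical names, and the sketch assumes the patched Node behaviour where spawning a .bat/.cmd file without the `shell` option fails with EINVAL.

```javascript
// Added example: decide how a command may be launched, without launching it.
// planSpawn / isBatchFile are hypothetical helpers, not a sass-embedded API.

// On Windows, .bat and .cmd files are run through cmd.exe, which re-parses
// the command line. Native images such as dart.exe are not.
function isBatchFile(command, platform = process.platform) {
  return platform === 'win32' && /\.(bat|cmd)$/i.test(command);
}

function planSpawn(command, args = [], platform = process.platform) {
  if (!isBatchFile(command, platform)) {
    // Native executable: arguments are passed as an array, no shell involved.
    return { command, args: [...args], options: { shell: false } };
  }
  if (args.length > 0) {
    // Arguments to a batch file are what cmd.exe can reinterpret.
    // Refuse instead of attempting to escape them.
    throw new Error(`refusing to pass arguments to batch file: ${command}`);
  }
  if (/["&|<>^%!]/.test(command)) {
    // The path itself also reaches cmd.exe, so reject metacharacters in it.
    throw new Error(`unsafe characters in batch file path: ${command}`);
  }
  // No arguments and a clean path: opt in to the shell explicitly, and quote
  // the path so that spaces in it survive cmd.exe parsing.
  return { command: `"${command}"`, args: [], options: { shell: true } };
}
```

The returned `command`, `args` and `options` map directly onto `child_process.spawn(command, args, options)`.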